Wireless communications systems refer generally to any telecommunications systems which enable wireless communication between the users and the network. In mobile communications systems, users are able to move within the coverage area of the network. A typical mobile communications system is a public land mobile network (PLMN). The present invention can be used in different mobile communications systems, such as the Universal Mobile Communications system (UMTS) and the IMT-2000 (International Mobile Telecommunication 2000). In the following, the invention is described by way of example with reference to the UMTS, more specifically to the UMTS system being specified in the third generation partnership project 3GPP, without restricting the invention to it.
In systems using encryption, a number based on a radio frame or on a protocol PDU (packet data unit) sequence is often used as a constantly varying input to a ciphering algorithm. In some documents, the radio frame-based number is called a Connection Frame Number (CFN). However, a connection frame number or a PDU sequence number (used for retransmission purposes and the like) by itself is too short for reliable ciphering. In many radio systems, such as the UTRAN (UMTS Terrestrial Radio Access Network) in the 3GPP project, ciphering is employed in the radio access network (RAN) between a terminal and a network node, such as a Radio Network Controller RNC. In addition to the CFN or PDU number and the actual cipher key, the ciphering algorithm may use other inputs, such as the direction of the transmission and/or the radio bearer used in the transmission.
Typically a frame number extension (a “hyper-frame number”, HFN) is introduced which is stepped (typically incremented) when the short number (the CFN or the PDU sequence number) completes one period. The HFN together with the short number form an actual input (called a count parameter) to the ciphering algorithm. The purpose of the count parameter is to ensure that the same ciphering mask is not produced within too short a period of time. If (re)authentication and key change is performed, the count parameter (together with the HFN) can be reset to zero. Between two consecutive connections, the terminal stores the HFN into a non-volatile memory, such as the USIM (UMTS Subscriber Identity Module) in third generation user equipment (MS).
A similar input parameter, called COUNT-I in the 3GPP specifications, is required for the integrity protection algorithm to prevent replays during a connection. (A replay is an attempt to disrupt communication integrity by capturing and re-sending data packets or radio frames.) The COUNT-I parameter is also initialized with the HFN and incremented for each transmitted integrity-protected message.
FIG. 1 illustrates a situation in which one radio access network RAN is connected to two (or more) core networks CN. There is a circuit-switched core network CS-CN and a packet-switched core network PS-CN.
The approach described above is sufficient if the RAN is connected to one core network only. A network architecture having multiple core networks may involve a hard-to-detect problem which will be described later. For example, a UTRAN radio access network can be connected to a circuit-switched core network CS-CN and a packet-switched core network PS-CN. The circuit-switched core network CS-CN comprises a Mobile services Switching Centre/Visitor Location Register MSC/VLR. The packet-switched core network PS-CN comprises a Serving GPRS Support Node SGSN.
The following description makes use of the terms ‘user plane’ and ‘control plane’. All information sent and received by the mobile station user, such as coded voice in a voice call or packets of an Internet connection, are transported on the user plane. The control plane is used for all UMTS-specific control signalling, which is normally not directly visible to the user. Some exceptions may exist, for example user-produced short messages can be sent on the control plane. In the radio interface, data from the user plane and control plane can be multiplexed onto the same physical channel.
Let us first assume that the USIM establishes cipher keys with both the CS and the PS core network domains. On the user plane, the user data connections towards the CS service domain are ciphered with a cipher key CKCS that is established between a mobile station (MS) user and the CS core network service domain, and identified in the security mode setting procedure between the UTRAN and the mobile station. The user data connections towards the PS service domain are ciphered with the cipher key CKPS that is established between the user and the PS core network service domain, and identified in the security mode setting procedure between the UTRAN and the MS. The ciphering process is illustrated in FIG. 2. In this example, the input parameters to the ciphering algorithm f8 are the Cipher Key CK, a time dependent count parameter C, the bearer identity B, the direction of transmission D and the length L of the keystream required. Based on these input parameters (CK, C, B, D, L), the algorithm generates an output keystream block which is used to encrypt the input plaintext block PB. The result of the encryption process is a ciphertext block CB.
As shown in FIG. 3, another key is needed on the control plane, in addition to the cipher key CK. This key is called an integrity key IK. The integrity key is used as an input to an integrity protection function f9, which calculates a Message Authentication Code MAC-I to be appended to signalling messages. FIG. 3 illustrates the calculation of the MAC-I code(s) both on the sender side and on the receiver side. Besides the integrity key IK, some other parameters are used to calculate the message authentication code. COUNT-I is a time varying counter, which is basically similar to the count parameter C shown in FIG. 2 (and which will be described in more detail in connection with FIG. 4). A preferred implementation of the COUNT-I parameter is the hyperframe number HFN combined with a signalling message sequence number. The direction bit D has been described in connection with FIG. 2. The UTRAN provides a random value F called “fresh”. Other inputs are the radio bearer ID and the actual message M whose integrity is to be protected. In the implementation shown in FIG. 3, the radio bearer ID is included in one of the other input parameters, for example in the message M. The hyperframe number for integrity protection (HFN-I) may be separate from the hyperframe number used for ciphering (HFN-C). A calculated message authentication code MAC is needed to verify the origin of signalling messages. When a security mode setting procedure between the UTRAN and the MS is performed, the cipher/integrity keys set by this procedure are applied to the control plane, whatever core network service domain is specified in the procedure. This may require that the cipher and/or integrity keys of an (already ciphered and/or integrity protected) ongoing signalling connection (control plane connection) be changed.
An issue to be observed is that the count parameter C should never repeat unless some of the other parameters to the algorithm have changed. This is especially critical to ciphering, but it is also necessary for integrity protection. As the HFN is used to initialize the count, the HFN value stored in the USIM should never decrease unless the key with which the HFN was used is changed. If the stored HFN is common to both the CS domain and the PS domain, there is a possibility that HFN values (and thus the count parameters) are reused with same ciphering (and integrity) key. This problem can be illustrated by the following example.
Let us assume that an MS user establishes first a connection with a circuit-switched (CS) service domain and obtains a key set (ciphering and integrity keys, CK+IK) during an authentication procedure. The user plane radio bearer utilizes the CKCS and the control plane signalling radio bearer utilizes CKCS and IKCS. Three HFNs are initialized:
1) HFN-CUP1 (HFN for Ciphering User Plane bearer number one);
2) HFN-CCP1 (HFN for Ciphering Control Plane bearer number one);
3) HFN-I (HFN for integrity protection on the control plane).
In practice, the uplink and downlink directions in each radio bearer may require separate hyperframe numbers. In other words, there may be as many as six separate HFNs, but this is not relevant to describing the problem. More than one HFN-CUP and HFN-CCP can exist, but in this example only one user plane and one control plane radio bearer is assumed. Separate initialization values for the HFN-C and the HFN-I can be read from the USIM. For simplicity, let us assume in this example that all the hyperframe numbers start from zero.
Next, the connection is released. One HFN-C and one HFN-I (the highest ones used during the connection) are stored into the USIM. For example, let us assume a value of 1000 for the HFN-C and HFN-I. Furthermore, the ciphering key CKCS for the CS domain and the integrity key IKCS remain in the memory of the MS for possible future use.
Next, a connection to the packet-switched (PS) service domain is established. The HFN-C for ciphering and the HFN-I for integrity protection are read from the USIM and transmitted to the UTRAN. A potential residual problem is that the hyperframe numbers in the USIM are related to the CS domain connection but are now to be used for the connection in the PS domain. Assuming that an authentication procedure (and a key change) is executed with the PS domain, the problem appears to be solved, since the hyperframe numbers HFN-I and HFN-C are reset to zero after authentication. However, let us continue our example and assume that during this PS connection, after authentication and key change, the HFN values increase only as high as 500. When the PS connection is released, this value is stored into the USIM.
Finally, a new connection is established to the CS domain. Assuming that this time no authentication is performed at the beginning of the connection, the old ciphering key CKCS and integrity key IKCS are taken into use, with the HFN values read from the USIM. A consequence is that HFN values of 501 to 1000 with CKCS would be reused, which may compromise data security.